From: alistair23@gmail.com
X-Google-Original-From: alistair.francis@wdc.com
To: chuck.lever@oracle.com, hare@kernel.org, kernel-tls-handshake@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-nvme@lists.infradead.org, linux-nfs@vger.kernel.org
Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, kch@nvidia.com, alistair23@gmail.com, Alistair Francis
Subject: [PATCH 1/8] net/handshake: Store the key serial number on completion
Date: Fri, 15 Aug 2025 15:02:03 +1000
Message-ID: <20250815050210.1518439-2-alistair.francis@wdc.com>
In-Reply-To: <20250815050210.1518439-1-alistair.francis@wdc.com>
References: <20250815050210.1518439-1-alistair.francis@wdc.com>
From: Alistair Francis

Allow userspace to include a key serial number when completing a handshake with the HANDSHAKE_CMD_DONE command. We then store this serial number and will provide it back to userspace in the future. This allows userspace to save data to the keyring and then restore that data later.

This will be used to support the TLS KeyUpdate operation, as now userspace can resume information about an established session.

Signed-off-by: Alistair Francis
--- Documentation/netlink/specs/handshake.yaml | 4 ++++ drivers/nvme/host/tcp.c | 3 ++- drivers/nvme/target/tcp.c | 3 ++- include/net/handshake.h | 3 ++- include/uapi/linux/handshake.h | 1 + net/handshake/genl.c | 5 +++-- net/handshake/tlshd.c | 15 +++++++++++++-- net/sunrpc/svcsock.c | 3 ++- net/sunrpc/xprtsock.c | 3 ++- 9 files changed, 31 insertions(+), 9 deletions(-) diff --git a/Documentation/netlink/specs/handshake.yaml b/Documentation/net= link/specs/handshake.yaml index 95c3fade7a8d..e76b10ef62f2 100644 --- a/Documentation/netlink/specs/handshake.yaml +++ b/Documentation/netlink/specs/handshake.yaml @@ -87,6 +87,9 @@ attribute-sets: name: remote-auth type: u32 multi-attr: true + - + name: key-serial + type: u32 =20 operations: list: @@ -123,6 +126,7 @@ operations: - status - sockfd - remote-auth + - key-serial =20 mcast-groups: list: diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c index c0fe8cfb7229..bb7317a3f1a9 100644 --- a/drivers/nvme/host/tcp.c +++ b/drivers/nvme/host/tcp.c @@ -1673,7 +1673,8 @@ static void nvme_tcp_set_queue_io_cpu(struct nvme_tcp= _queue *queue) qid, queue->io_cpu); } =20 -static void nvme_tcp_tls_done(void *data, int status, key_serial_t pskid) +static void nvme_tcp_tls_done(void *data, int status, key_serial_t pskid, + key_serial_t user_key_serial) { struct nvme_tcp_queue *queue =3D data; struct nvme_tcp_ctrl *ctrl =3D queue->ctrl; diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c index 470bf37e5a63..93fce316267d 100644
--- a/drivers/nvme/target/tcp.c +++ b/drivers/nvme/target/tcp.c @@ -1780,7 +1780,8 @@ static int nvmet_tcp_tls_key_lookup(struct nvmet_tcp_= queue *queue, } =20 static void nvmet_tcp_tls_handshake_done(void *data, int status, - key_serial_t peerid) + key_serial_t peerid, + key_serial_t user_key_serial) { struct nvmet_tcp_queue *queue =3D data; =20 diff --git a/include/net/handshake.h b/include/net/handshake.h index 8ebd4f9ed26e..449bed8c2557 100644 --- a/include/net/handshake.h +++ b/include/net/handshake.h @@ -18,7 +18,8 @@ enum { }; =20 typedef void (*tls_done_func_t)(void *data, int status, - key_serial_t peerid); + key_serial_t peerid, + key_serial_t user_key_serial); =20 struct tls_handshake_args { struct socket *ta_sock; diff --git a/include/uapi/linux/handshake.h b/include/uapi/linux/handshake.h index 662e7de46c54..46753116ba43 100644 --- a/include/uapi/linux/handshake.h +++ b/include/uapi/linux/handshake.h @@ -55,6 +55,7 @@ enum { HANDSHAKE_A_DONE_STATUS =3D 1, HANDSHAKE_A_DONE_SOCKFD, HANDSHAKE_A_DONE_REMOTE_AUTH, + HANDSHAKE_A_DONE_KEY_SERIAL, =20 __HANDSHAKE_A_DONE_MAX, HANDSHAKE_A_DONE_MAX =3D (__HANDSHAKE_A_DONE_MAX - 1) diff --git a/net/handshake/genl.c b/net/handshake/genl.c index f55d14d7b726..bf64323bb5e1 100644 --- a/net/handshake/genl.c +++ b/net/handshake/genl.c @@ -16,10 +16,11 @@ static const struct nla_policy handshake_accept_nl_poli= cy[HANDSHAKE_A_ACCEPT_HAN }; =20 /* HANDSHAKE_CMD_DONE - do */ -static const struct nla_policy handshake_done_nl_policy[HANDSHAKE_A_DONE_R= EMOTE_AUTH + 1] =3D { +static const struct nla_policy handshake_done_nl_policy[HANDSHAKE_A_DONE_K= EY_SERIAL + 1] =3D { [HANDSHAKE_A_DONE_STATUS] =3D { .type =3D NLA_U32, }, [HANDSHAKE_A_DONE_SOCKFD] =3D { .type =3D NLA_S32, }, [HANDSHAKE_A_DONE_REMOTE_AUTH] =3D { .type =3D NLA_U32, }, + [HANDSHAKE_A_DONE_KEY_SERIAL] =3D { .type =3D NLA_U32, }, }; =20 /* Ops table for handshake */ 
@@ -35,7 +36,7 @@ static const struct genl_split_ops handshake_nl_ops[] =3D= { .cmd =3D HANDSHAKE_CMD_DONE, .doit =3D handshake_nl_done_doit, .policy =3D handshake_done_nl_policy, - .maxattr =3D HANDSHAKE_A_DONE_REMOTE_AUTH, + .maxattr =3D HANDSHAKE_A_DONE_KEY_SERIAL, .flags =3D GENL_CMD_CAP_DO, }, }; diff --git a/net/handshake/tlshd.c b/net/handshake/tlshd.c index 081093dfd553..cb1ee8ebf2ea 100644 --- a/net/handshake/tlshd.c +++ b/net/handshake/tlshd.c @@ -26,7 +26,8 @@ =20 struct tls_handshake_req { void (*th_consumer_done)(void *data, int status, - key_serial_t peerid); + key_serial_t peerid, + key_serial_t user_key_serial); void *th_consumer_data; =20 int th_type; @@ -39,6 +40,8 @@ struct tls_handshake_req { =20 unsigned int th_num_peerids; key_serial_t th_peerid[5]; + + key_serial_t user_key_serial; }; =20 static struct tls_handshake_req * @@ -55,6 +58,7 @@ tls_handshake_req_init(struct handshake_req *req, treq->th_num_peerids =3D 0; treq->th_certificate =3D TLS_NO_CERT; treq->th_privkey =3D TLS_NO_PRIVKEY; + treq->user_key_serial =3D TLS_NO_PRIVKEY; return treq; } =20 @@ -83,6 +87,13 @@ static void tls_handshake_remote_peerids(struct tls_hand= shake_req *treq, if (i >=3D treq->th_num_peerids) break; } + + nla_for_each_attr(nla, head, len, rem) { + if (nla_type(nla) =3D=3D HANDSHAKE_A_DONE_KEY_SERIAL) { + treq->user_key_serial =3D nla_get_u32(nla); + break; + } + } } =20 /** @@ -105,7 +116,7 @@ static void tls_handshake_done(struct handshake_req *re= q, set_bit(HANDSHAKE_F_REQ_SESSION, &req->hr_flags); =20 treq->th_consumer_done(treq->th_consumer_data, -status, - treq->th_peerid[0]); + treq->th_peerid[0], treq->user_key_serial); } =20 #if IS_ENABLED(CONFIG_KEYS) diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c index 46c156b121db..3a325d7f2049 100644 --- a/net/sunrpc/svcsock.c +++ b/net/sunrpc/svcsock.c 
@@ -423,7 +423,8 @@ static void svc_tcp_kill_temp_xprt(struct svc_xprt *xpr= t) * is present" flag on the xprt and let an upper layer enforce local * security policy. */ -static void svc_tcp_handshake_done(void *data, int status, key_serial_t pe= erid) +static void svc_tcp_handshake_done(void *data, int status, key_serial_t pe= erid, + key_serial_t user_key_serial) { struct svc_xprt *xprt =3D data; struct svc_sock *svsk =3D container_of(xprt, struct svc_sock, sk_xprt); diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c index c5f7bbf5775f..8edd095b3a40 100644 --- a/net/sunrpc/xprtsock.c +++ b/net/sunrpc/xprtsock.c 
@@ -2591,7 +2591,8 @@ static int xs_tcp_tls_finish_connecting(struct rpc_xp= rt *lower_xprt, * @peerid: serial number of key containing the remote's identity * */ -static void xs_tls_handshake_done(void *data, int status, key_serial_t pee= rid) +static void xs_tls_handshake_done(void *data, int status, key_serial_t pee= rid, + key_serial_t user_key_serial) { struct rpc_xprt *lower_xprt =3D data; struct sock_xprt *lower_transport =3D --=20 2.50.1
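Review bot: the new `key-serial` attribute in the handshake.yaml hunk (`@@ -87,6 +87,9 @@`) has no `doc:` entry, so the spec never says whose keyring the serial belongs to, who keeps that key alive, or what the kernel does with it. Nothing in this patch looks the key up or takes a reference to it (no key lookup call appears anywhere in the diff), so the value is opaque to the kernel and may refer to a key that has since been revoked or garbage-collected; say that explicitly in the spec so consumers do not treat it as a validated handle.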
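Review bot: net/handshake/genl.c is generated from Documentation/netlink/specs/handshake.yaml by the YNL tooling, so the `handshake_done_nl_policy` and `.maxattr = HANDSHAKE_A_DONE_KEY_SERIAL` hunks there should be produced by re-running the generator on the updated spec rather than edited by hand; worth confirming that the committed diff is identical to the regenerated output.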
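Review bot: in the tlshd.c struct hunk the new member is named `user_key_serial`, while every other field of struct tls_handshake_req uses the `th_` prefix (`th_num_peerids`, `th_peerid`, `th_certificate`, `th_privkey`); rename it `th_user_key_serial`. The initialiser `treq->user_key_serial = TLS_NO_PRIVKEY;` in tls_handshake_req_init() also reuses a sentinel that belongs to the private-key field; a serial supplied by userspace has nothing to do with that, so either add a dedicated "no key" value or state in a comment that TLS_NO_PRIVKEY doubles as the absent marker, and document it so consumers know what to compare the callback argument against.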
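Review bot: the second `nla_for_each_attr()` walk for HANDSHAKE_A_DONE_KEY_SERIAL is appended to tls_handshake_remote_peerids(), whose job (and name) is collecting the multi-attr remote-auth serials. If that function returns early when no remote-auth attribute is present (the lines above the hunk are not shown here), a DONE message carrying only a key-serial would have the serial silently dropped. Since key-serial is a single attribute now covered by handshake_done_nl_policy, reading `info->attrs[HANDSHAKE_A_DONE_KEY_SERIAL]` (with a NULL check) in tls_handshake_done() is simpler and avoids re-walking the raw attribute stream.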
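Review bot: the xprtsock.c hunk extends xs_tls_handshake_done() with `key_serial_t user_key_serial`, but the kernel-doc block directly above it still lists only `@peerid: serial number of key containing the remote's identity`; add an `@user_key_serial:` line, and do the same for nvme_tcp_tls_done(), nvmet_tcp_tls_handshake_done() and svc_tcp_handshake_done() if their comments document parameters. None of the four callbacks uses the new argument in this patch, so a sentence in the commit message saying which later patch consumes it would save reviewers a search.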
From: alistair23@gmail.com
X-Google-Original-From: alistair.francis@wdc.com
To: chuck.lever@oracle.com, hare@kernel.org, kernel-tls-handshake@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-nvme@lists.infradead.org, linux-nfs@vger.kernel.org
Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, kch@nvidia.com, alistair23@gmail.com, Alistair Francis
Subject: [PATCH 2/8] net/handshake: Make handshake_req_cancel public
Date: Fri, 15 Aug 2025 15:02:04 +1000
Message-ID: <20250815050210.1518439-3-alistair.francis@wdc.com>
In-Reply-To: <20250815050210.1518439-1-alistair.francis@wdc.com>
References: <20250815050210.1518439-1-alistair.francis@wdc.com>

From: Alistair Francis

As part of supporting KeyUpdate we are going to want to call handshake_req_cancel() to cancel an existing handshake in order to instead start a KeyUpdate request.

This is required to avoid hash conflicts when handshake_req_hash_add() is called as part of submitting the KeyUpdate request.

Signed-off-by: Alistair Francis
--- include/net/handshake.h | 2 ++ net/handshake/handshake-test.c | 1 + net/handshake/handshake.h | 1 - 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/include/net/handshake.h b/include/net/handshake.h index 449bed8c2557..8a64729614e1 100644 --- a/include/net/handshake.h +++ b/include/net/handshake.h
@@ -43,6 +43,8 @@ int tls_server_hello_psk(const struct tls_handshake_args = *args, gfp_t flags); bool tls_handshake_cancel(struct sock *sk); void tls_handshake_close(struct socket *sock); =20 +bool handshake_req_cancel(struct sock *sk); + u8 tls_get_record_type(const struct sock *sk, const struct cmsghdr *msg); void tls_alert_recv(const struct sock *sk, const struct msghdr *msg, u8 *level, u8 *description); diff --git a/net/handshake/handshake-test.c b/net/handshake/handshake-test.c index 55442b2f518a..c338b9977a71 100644 --- a/net/handshake/handshake-test.c +++ b/net/handshake/handshake-test.c @@ -13,6 +13,7 @@ #include #include #include +#include =20 #include #include "handshake.h" diff --git a/net/handshake/handshake.h b/net/handshake/handshake.h index a48163765a7a..55c25eaba0f4 100644 --- a/net/handshake/handshake.h +++ b/net/handshake/handshake.h 
@@ -88,6 +88,5 @@ int handshake_req_submit(struct socket *sock, struct hand= shake_req *req, gfp_t flags); void handshake_complete(struct handshake_req *req, unsigned int status, struct genl_info *info); -bool handshake_req_cancel(struct sock *sk); =20 #endif /* _INTERNAL_HANDSHAKE_H */ --=20 2.50.1
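Review bot: the include/net/handshake.h hunk publishes `bool handshake_req_cancel(struct sock *sk);` two lines below the existing public `bool tls_handshake_cancel(struct sock *sk);`, which is already the consumer-facing cancel entry point; the commit message should say why the TLS-level wrapper is not enough for the KeyUpdate path, otherwise the header now offers two cancel functions with identical signatures and callers have no guidance on which to use. The handshake-test.c hunk adds an include whose path is not legible in this copy of the patch; confirm it is the public include/net/handshake.h and not the internal header the prototype was just removed from, since the test already includes "handshake.h".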
From: alistair23@gmail.com
X-Google-Original-From: alistair.francis@wdc.com
To: chuck.lever@oracle.com, hare@kernel.org, kernel-tls-handshake@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-nvme@lists.infradead.org, linux-nfs@vger.kernel.org
Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, kch@nvidia.com, alistair23@gmail.com, Alistair Francis
Subject: [PATCH 3/8] net/handshake: Expose handshake_sk_destruct_req publicly
Date: Fri, 15 Aug 2025 15:02:05 +1000
Message-ID: <20250815050210.1518439-4-alistair.francis@wdc.com>
In-Reply-To: <20250815050210.1518439-1-alistair.francis@wdc.com>
References: <20250815050210.1518439-1-alistair.francis@wdc.com>

From: Alistair Francis

Define a `handshake_sk_destruct_req()` function and expose it publicly so that other subsystems can destruct the handshake req.

This will be used as part of the KeyUpdate to ensure any existing requests are cancelled and destructed if required. This is required to avoid hash conflicts when handshake_req_hash_add() is called as part of submitting the KeyUpdate request.

Signed-off-by: Alistair Francis
--- include/net/handshake.h | 1 + net/handshake/request.c | 17 +++++++++++++++++ 2 files changed, 18 insertions(+) diff --git a/include/net/handshake.h b/include/net/handshake.h index 8a64729614e1..fab4760049c6 100644 --- a/include/net/handshake.h +++ b/include/net/handshake.h
@@ -43,6 +43,7 @@ int tls_server_hello_psk(const struct tls_handshake_args = *args, gfp_t flags); bool tls_handshake_cancel(struct sock *sk); void tls_handshake_close(struct socket *sock); =20 +void handshake_sk_destruct_req(struct sock *sk); bool handshake_req_cancel(struct sock *sk); =20 u8 tls_get_record_type(const struct sock *sk, const struct cmsghdr *msg); diff --git a/net/handshake/request.c b/net/handshake/request.c index 274d2c89b6b2..bb727a9ad042 100644 --- a/net/handshake/request.c +++ b/net/handshake/request.c 
@@ -341,3 +341,20 @@ bool handshake_req_cancel(struct sock *sk) return true; } EXPORT_SYMBOL(handshake_req_cancel); + +/** + * handshake_sk_destruct_req - destroy an existing request + * @sk: socket on which there is an existing request + */ +void handshake_sk_destruct_req(struct sock *sk) +{ + struct handshake_req *req; + + req =3D handshake_req_hash_lookup(sk); + if (!req) + return; + + trace_handshake_destruct(sock_net(sk), req, sk); + handshake_req_destroy(req); +} +EXPORT_SYMBOL(handshake_sk_destruct_req); --=20 2.50.1
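Review bot: handshake_sk_destruct_req() in the request.c hunk looks the request up and calls handshake_req_destroy() unconditionally, with no check that the request has completed or been cancelled. The commit message says the function exists to make sure existing requests "are cancelled and destructed if required", but nothing in the body does the cancel, so a caller that invokes it while tlshd still holds the request (handshake in flight, or the DONE reply racing in) frees the request underneath the completion path. Either call handshake_req_cancel(sk) here and return when it reports the request is no longer pending, or state in the kernel-doc that the caller must have cancelled first and say what guarantees that ordering. The kernel-doc should also note that the function is a no-op when no request is hashed for the socket, since that is a silent return.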
From: alistair23@gmail.com
X-Google-Original-From: alistair.francis@wdc.com
To: chuck.lever@oracle.com, hare@kernel.org, kernel-tls-handshake@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-nvme@lists.infradead.org, linux-nfs@vger.kernel.org
Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, kch@nvidia.com, alistair23@gmail.com, Alistair Francis
Subject: [PATCH 4/8] tls: Allow callers to clear errors
Date: Fri, 15 Aug 2025 15:02:06 +1000
Message-ID: <20250815050210.1518439-5-alistair.francis@wdc.com>
X-Mailer: git-send-email 2.50.1
In-Reply-To: <20250815050210.1518439-1-alistair.francis@wdc.com>
References: <20250815050210.1518439-1-alistair.francis@wdc.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Alistair Francis

As part of supporting KeyUpdate we are going to pass errors up to the callers of TLS to indicate a KeyUpdate. Those layers will need to handle the KeyUpdate and as part of that clear the error.

Signed-off-by: Alistair Francis
---
 include/net/tls.h | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/include/net/tls.h b/include/net/tls.h
index 857340338b69..7de960225da2 100644
--- a/include/net/tls.h
+++ b/include/net/tls.h
@@ -493,6 +493,13 @@ static inline bool tls_offload_tx_resync_pending(struc= t sock *sk) =20 struct sk_buff *tls_encrypt_skb(struct sk_buff *skb); =20 +static inline void tls_clear_err(struct sock *sk) +{ + WRITE_ONCE(sk->sk_err, 0); + /* Paired with smp_rmb() in tcp_poll() */ + smp_wmb(); +} + #ifdef CONFIG_TLS_DEVICE void tls_device_sk_destruct(struct sock *sk); void tls_offload_tx_resync_request(struct sock *sk, u32 got_seq, u32 exp_s= eq); --=20 2.50.1
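Review bot: tls_clear_err() clears sk->sk_err unconditionally, so a caller that observed -EKEYEXPIRED and then calls it can wipe out a different error (a reset, for instance) reported on the socket in between; consider clearing only when the pending error is the KeyUpdate one, e.g. `if (READ_ONCE(sk->sk_err) == EKEYEXPIRED) WRITE_ONCE(sk->sk_err, 0);` (or a cmpxchg), and add a kernel-doc comment stating that precondition, since this is a new exported inline in include/net/tls.h. The comment on the smp_wmb() says what it pairs with but not which later store the barrier orders the clear before; a barrier after the last store in the function reads as unmotivated without that.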
From: alistair23@gmail.com
X-Google-Original-From: alistair.francis@wdc.com
To: chuck.lever@oracle.com, hare@kernel.org, kernel-tls-handshake@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-nvme@lists.infradead.org, linux-nfs@vger.kernel.org
Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, kch@nvidia.com, alistair23@gmail.com, Alistair Francis
Subject: [PATCH 5/8] net/handshake: Support KeyUpdate message types
Date: Fri, 15 Aug 2025 15:02:07 +1000
Message-ID: <20250815050210.1518439-6-alistair.francis@wdc.com>
X-Mailer: git-send-email 2.50.1
In-Reply-To: <20250815050210.1518439-1-alistair.francis@wdc.com>
References: <20250815050210.1518439-1-alistair.francis@wdc.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Alistair Francis

When reporting the msg-type to userspace let's also support reporting KeyUpdate events. This supports reporting a client/server event and if the other side requested a KeyUpdateRequest.

Link: https://datatracker.ietf.org/doc/html/rfc8446#section-4.6.3
Signed-off-by: Alistair Francis
---
 Documentation/netlink/specs/handshake.yaml | 15 +++++++++-
 Documentation/networking/tls-handshake.rst | 4 +--
 drivers/nvme/host/tcp.c | 12 ++++++--
 drivers/nvme/target/tcp.c | 11 ++++++--
 include/net/handshake.h | 11 ++++++--
 include/uapi/linux/handshake.h | 13 +++++++++
 net/handshake/tlshd.c | 33 ++++++++++++++++++----
 7 files changed, 83 insertions(+), 16 deletions(-)

diff --git a/Documentation/netlink/specs/handshake.yaml b/Documentation/netlink/specs/handshake.yaml
index e76b10ef62f2..8e6275af1ff8 100644
--- a/Documentation/netlink/specs/handshake.yaml
+++ b/Documentation/netlink/specs/handshake.yaml
@@ -21,12 +21,17 @@ definitions: type: enum name: msg-type value-start: 0 - entries: [unspec, clienthello, serverhello] + entries: [unspec, clienthello, serverhello, clientkeyupdate, clientkey= updaterequest, serverkeyupdate, serverkeyupdaterequest] - type: enum name: auth value-start: 0 entries: [unspec, unauth, psk, x509] + - + type: enum + name: key-update-type + value-start: 0 + entries: [unspec, send, received, received_request_update] =20 attribute-sets: - @@ -74,6 +79,13 @@ attribute-sets: - name: keyring type: u32 + - + name: key-update-request + type: u32 + enum: key-update-type + - + name: key-serial + type: u32 - name: done attributes: @@ -116,6 +128,7 @@ operations: - certificate - peername - keyring + - key-serial - name: done doc: Handler reports handshake completion diff --git a/Documentation/networking/tls-handshake.rst b/Documentation/net= working/tls-handshake.rst index 6f5ea1646a47..64a70847bd8b 100644 --- a/Documentation/networking/tls-handshake.rst +++ b/Documentation/networking/tls-handshake.rst @@ -108,7 +108,7 @@ To initiate a client-side TLS handshake with a pre-shar= ed key, use: =20 .. code-block:: c =20 - ret =3D tls_client_hello_psk(args, gfp_flags); + ret =3D tls_client_hello_psk(args, gfp_flags, handshake_key_update_type); =20 However, in this case, the consumer fills in the @ta_my_peerids array with serial numbers of keys containing the peer identities it wishes @@ -138,7 +138,7 @@ or =20 .. code-block:: c =20 - ret =3D tls_server_hello_psk(args, gfp_flags); + ret =3D tls_server_hello_psk(args, gfp_flags, handshake_key_update_type); =20 The argument structure is filled in as above. =20 diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c index bb7317a3f1a9..cc3332529355 100644 --- a/drivers/nvme/host/tcp.c +++ b/drivers/nvme/host/tcp.c @@ -19,6 +19,7 @@ #include #include #include +#include =20 #include "nvme.h" #include "fabrics.h" 
@@ -205,6 +206,10 @@ static struct workqueue_struct *nvme_tcp_wq; static const struct blk_mq_ops nvme_tcp_mq_ops; static const struct blk_mq_ops nvme_tcp_admin_mq_ops; static int nvme_tcp_try_send(struct nvme_tcp_queue *queue); +static int nvme_tcp_start_tls(struct nvme_ctrl *nctrl, + struct nvme_tcp_queue *queue, + key_serial_t pskid, + handshake_key_update_type keyupdate); =20 static inline struct nvme_tcp_ctrl *to_tcp_ctrl(struct nvme_ctrl *ctrl) { @@ -1708,7 +1713,8 @@ static void nvme_tcp_tls_done(void *data, int status,= key_serial_t pskid, =20 static int nvme_tcp_start_tls(struct nvme_ctrl *nctrl, struct nvme_tcp_queue *queue, - key_serial_t pskid) + key_serial_t pskid, + handshake_key_update_type keyupdate) { int qid =3D nvme_tcp_queue_id(queue); int ret; @@ -1730,7 +1736,7 @@ static int nvme_tcp_start_tls(struct nvme_ctrl *nctrl, args.ta_timeout_ms =3D tls_handshake_timeout * 1000; queue->tls_err =3D -EOPNOTSUPP; init_completion(&queue->tls_complete); - ret =3D tls_client_hello_psk(&args, GFP_KERNEL); + ret =3D tls_client_hello_psk(&args, GFP_KERNEL, keyupdate); if (ret) { dev_err(nctrl->device, "queue %d: failed to start TLS: %d\n", qid, ret); @@ -1880,7 +1886,7 @@ static int nvme_tcp_alloc_queue(struct nvme_ctrl *nct= rl, int qid, =20 /* If PSKs are configured try to start TLS */ if (nvme_tcp_tls_configured(nctrl) && pskid) { - ret =3D nvme_tcp_start_tls(nctrl, queue, pskid); + ret =3D nvme_tcp_start_tls(nctrl, queue, pskid, HANDSHAKE_KEY_UPDATE_TYP= E_UNSPEC); if (ret) goto err_init_connect; } diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c index 93fce316267d..5eaab9c858be 100644 --- a/drivers/nvme/target/tcp.c +++ b/drivers/nvme/target/tcp.c 
@@ -214,6 +214,10 @@ static struct workqueue_struct *nvmet_tcp_wq; static const struct nvmet_fabrics_ops nvmet_tcp_ops; static void nvmet_tcp_free_cmd(struct nvmet_tcp_cmd *c); static void nvmet_tcp_free_cmd_buffers(struct nvmet_tcp_cmd *cmd); +#ifdef CONFIG_NVME_TARGET_TCP_TLS +static int nvmet_tcp_tls_handshake(struct nvmet_tcp_queue *queue, + handshake_key_update_type keyupdate); +#endif =20 static inline u16 nvmet_tcp_cmd_tag(struct nvmet_tcp_queue *queue, struct nvmet_tcp_cmd *cmd) @@ -1833,7 +1837,8 @@ static void nvmet_tcp_tls_handshake_timeout(struct wo= rk_struct *w) kref_put(&queue->kref, nvmet_tcp_release_queue); } =20 -static int nvmet_tcp_tls_handshake(struct nvmet_tcp_queue *queue) +static int nvmet_tcp_tls_handshake(struct nvmet_tcp_queue *queue, + handshake_key_update_type keyupdate) { int ret =3D -EOPNOTSUPP; struct tls_handshake_args args; @@ -1852,7 +1857,7 @@ static int nvmet_tcp_tls_handshake(struct nvmet_tcp_q= ueue *queue) args.ta_keyring =3D key_serial(queue->port->nport->keyring); args.ta_timeout_ms =3D tls_handshake_timeout * 1000; =20 - ret =3D tls_server_hello_psk(&args, GFP_KERNEL); + ret =3D tls_server_hello_psk(&args, GFP_KERNEL, keyupdate); if (ret) { kref_put(&queue->kref, nvmet_tcp_release_queue); pr_err("failed to start TLS, err=3D%d\n", ret); @@ -1934,7 +1939,7 @@ static void nvmet_tcp_alloc_queue(struct nvmet_tcp_po= rt *port, sk->sk_data_ready =3D port->data_ready; write_unlock_bh(&sk->sk_callback_lock); if (!nvmet_tcp_try_peek_pdu(queue)) { - if (!nvmet_tcp_tls_handshake(queue)) + if (!nvmet_tcp_tls_handshake(queue, HANDSHAKE_KEY_UPDATE_TYPE_UNSPEC)) return; /* TLS handshake failed, terminate the connection */ goto out_destroy_sq; diff --git a/include/net/handshake.h b/include/net/handshake.h index fab4760049c6..8f791c55edc9 100644 --- a/include/net/handshake.h +++ b/include/net/handshake.h 
@@ -10,6 +10,10 @@ #ifndef _NET_HANDSHAKE_H #define _NET_HANDSHAKE_H =20 +#include + +#define handshake_key_update_type u32 + enum { TLS_NO_KEYRING =3D 0, TLS_NO_PEERID =3D 0, @@ -32,13 +36,16 @@ struct tls_handshake_args { key_serial_t ta_my_privkey; unsigned int ta_num_peerids; key_serial_t ta_my_peerids[5]; + key_serial_t user_key_serial; }; =20 int tls_client_hello_anon(const struct tls_handshake_args *args, gfp_t fla= gs); int tls_client_hello_x509(const struct tls_handshake_args *args, gfp_t fla= gs); -int tls_client_hello_psk(const struct tls_handshake_args *args, gfp_t flag= s); +int tls_client_hello_psk(const struct tls_handshake_args *args, gfp_t flag= s, + handshake_key_update_type keyupdate); int tls_server_hello_x509(const struct tls_handshake_args *args, gfp_t fla= gs); -int tls_server_hello_psk(const struct tls_handshake_args *args, gfp_t flag= s); +int tls_server_hello_psk(const struct tls_handshake_args *args, gfp_t flag= s, + handshake_key_update_type keyupdate); =20 bool tls_handshake_cancel(struct sock *sk); void tls_handshake_close(struct socket *sock); diff --git a/include/uapi/linux/handshake.h b/include/uapi/linux/handshake.h index 46753116ba43..f615b8226dba 100644 --- a/include/uapi/linux/handshake.h +++ b/include/uapi/linux/handshake.h @@ -19,6 +19,10 @@ enum handshake_msg_type { HANDSHAKE_MSG_TYPE_UNSPEC, HANDSHAKE_MSG_TYPE_CLIENTHELLO, HANDSHAKE_MSG_TYPE_SERVERHELLO, + HANDSHAKE_MSG_TYPE_CLIENTKEYUPDATE, + HANDSHAKE_MSG_TYPE_CLIENTKEYUPDATEREQUEST, + HANDSHAKE_MSG_TYPE_SERVERKEYUPDATE, + HANDSHAKE_MSG_TYPE_SERVERKEYUPDATEREQUEST, }; =20 enum handshake_auth { @@ -28,6 +32,13 @@ enum handshake_auth { HANDSHAKE_AUTH_X509, }; =20 +enum handshake_key_update_type { + HANDSHAKE_KEY_UPDATE_TYPE_UNSPEC, + HANDSHAKE_KEY_UPDATE_TYPE_SEND, + HANDSHAKE_KEY_UPDATE_TYPE_RECEIVED, + HANDSHAKE_KEY_UPDATE_TYPE_RECEIVED_REQUEST_UPDATE, +}; + enum { HANDSHAKE_A_X509_CERT =3D 1, HANDSHAKE_A_X509_PRIVKEY, 
@@ -46,6 +57,8 @@ enum { HANDSHAKE_A_ACCEPT_CERTIFICATE, HANDSHAKE_A_ACCEPT_PEERNAME, HANDSHAKE_A_ACCEPT_KEYRING, + HANDSHAKE_A_ACCEPT_KEY_UPDATE_REQUEST, + HANDSHAKE_A_ACCEPT_KEY_SERIAL, =20 __HANDSHAKE_A_ACCEPT_MAX, HANDSHAKE_A_ACCEPT_MAX =3D (__HANDSHAKE_A_ACCEPT_MAX - 1) diff --git a/net/handshake/tlshd.c b/net/handshake/tlshd.c index cb1ee8ebf2ea..ceedb2e78697 100644 --- a/net/handshake/tlshd.c +++ b/net/handshake/tlshd.c @@ -41,6 +41,8 @@ struct tls_handshake_req { unsigned int th_num_peerids; key_serial_t th_peerid[5]; =20 + int th_key_update_request; + key_serial_t user_key_serial; }; =20 @@ -58,7 +60,8 @@ tls_handshake_req_init(struct handshake_req *req, treq->th_num_peerids =3D 0; treq->th_certificate =3D TLS_NO_CERT; treq->th_privkey =3D TLS_NO_PRIVKEY; - treq->user_key_serial =3D TLS_NO_PRIVKEY; + treq->user_key_serial =3D args->user_key_serial; + return treq; } =20 @@ -265,6 +268,16 @@ static int tls_handshake_accept(struct handshake_req *= req, break; } =20 + ret =3D nla_put_u32(msg, HANDSHAKE_A_ACCEPT_KEY_SERIAL, + treq->user_key_serial); + if (ret < 0) + goto out_cancel; + + ret =3D nla_put_u32(msg, HANDSHAKE_A_ACCEPT_KEY_UPDATE_REQUEST, + treq->th_key_update_request); + if (ret < 0) + goto out_cancel; + genlmsg_end(msg, hdr); return genlmsg_reply(msg, info); =20 @@ -348,7 +361,8 @@ EXPORT_SYMBOL(tls_client_hello_x509); * %-ESRCH: No user agent is available * %-ENOMEM: Memory allocation failed */ -int tls_client_hello_psk(const struct tls_handshake_args *args, gfp_t flag= s) +int tls_client_hello_psk(const struct tls_handshake_args *args, gfp_t flag= s, + handshake_key_update_type keyupdate) { struct tls_handshake_req *treq; struct handshake_req *req; 
@@ -362,7 +376,11 @@ int tls_client_hello_psk(const struct tls_handshake_ar= gs *args, gfp_t flags) if (!req) return -ENOMEM; treq =3D tls_handshake_req_init(req, args); - treq->th_type =3D HANDSHAKE_MSG_TYPE_CLIENTHELLO; + if (keyupdate !=3D HANDSHAKE_KEY_UPDATE_TYPE_UNSPEC) + treq->th_type =3D HANDSHAKE_MSG_TYPE_CLIENTKEYUPDATE; + else + treq->th_type =3D HANDSHAKE_MSG_TYPE_CLIENTHELLO; + treq->th_key_update_request =3D keyupdate; treq->th_auth_mode =3D HANDSHAKE_AUTH_PSK; treq->th_num_peerids =3D args->ta_num_peerids; for (i =3D 0; i < args->ta_num_peerids; i++) @@ -410,7 +428,8 @@ EXPORT_SYMBOL(tls_server_hello_x509); * %-ESRCH: No user agent is available * %-ENOMEM: Memory allocation failed */ -int tls_server_hello_psk(const struct tls_handshake_args *args, gfp_t flag= s) +int tls_server_hello_psk(const struct tls_handshake_args *args, gfp_t flag= s, + handshake_key_update_type keyupdate) { struct tls_handshake_req *treq; struct handshake_req *req; 
@@ -419,7 +438,11 @@ int tls_server_hello_psk(const struct tls_handshake_ar= gs *args, gfp_t flags) if (!req) return -ENOMEM; treq =3D tls_handshake_req_init(req, args); - treq->th_type =3D HANDSHAKE_MSG_TYPE_SERVERHELLO; + if (keyupdate !=3D HANDSHAKE_KEY_UPDATE_TYPE_UNSPEC) + treq->th_type =3D HANDSHAKE_MSG_TYPE_SERVERKEYUPDATE; + else + treq->th_type =3D HANDSHAKE_MSG_TYPE_SERVERHELLO; + treq->th_key_update_request =3D keyupdate; treq->th_auth_mode =3D HANDSHAKE_AUTH_PSK; treq->th_num_peerids =3D 1; treq->th_peerid[0] =3D args->ta_my_peerids[0]; --=20 2.50.1
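Review bot: in the handshake.yaml hunks the accept operation's reply attribute list gains only `key-serial`, but tls_handshake_accept() in the tlshd.c hunk emits HANDSHAKE_A_ACCEPT_KEY_UPDATE_REQUEST as well; add `key-update-request` to the reply attributes so the spec describes what the kernel actually sends, and regenerate include/uapi/linux/handshake.h from the spec instead of editing the two by hand so they cannot drift. The new enum entry `received_request_update` is also the only identifier in this spec with underscores; every other name added here (`key-update-type`, `key-update-request`, `key-serial`) is hyphenated.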
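Review bot: the two tls-handshake.rst hunks change the call examples to pass `handshake_key_update_type` but never say what the parameter means or which values a consumer passes (HANDSHAKE_KEY_UPDATE_TYPE_UNSPEC for an ordinary handshake versus the SEND / RECEIVED / RECEIVED_REQUEST_UPDATE values), and the new `user_key_serial` member of struct tls_handshake_args is not documented at all; a short paragraph after each example describing the KeyUpdate flow and when the new argument is non-UNSPEC is needed.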
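Review bot: the forward declaration of nvme_tcp_start_tls() added to drivers/nvme/host/tcp.c is not needed by anything in this patch (the only caller, nvme_tcp_alloc_queue(), sits after the definition at line ~1713); if a later patch in the series calls it from earlier in the file, the declaration belongs in that patch. The same holds for the `#ifdef CONFIG_NVME_TARGET_TCP_TLS` forward declaration of nvmet_tcp_tls_handshake() in drivers/nvme/target/tcp.c: its only call in this patch is in nvmet_tcp_alloc_queue(), after the definition, so here it is dead scaffolding.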
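Review bot: `#define handshake_key_update_type u32` in include/net/handshake.h is a preprocessor macro spelled exactly like the `enum handshake_key_update_type` tag this patch adds to include/uapi/linux/handshake.h, so any `enum handshake_key_update_type` written in a file that includes net/handshake.h is rewritten to `enum u32`; use the enum type directly for the new parameters (`enum handshake_key_update_type keyupdate`) or a `typedef`, never a macro that shadows a tag. The new `key_serial_t user_key_serial;` member of struct tls_handshake_args should also carry the `ta_` prefix every other member uses (`ta_user_key_serial`).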
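Review bot: in the struct tls_handshake_req hunk, `int th_key_update_request;` stores a handshake_key_update_type value and is later emitted with nla_put_u32(), so it should be declared with the enum (or u32) type rather than `int`, and the second new member should take the `th_` prefix used by the rest of the struct (`th_user_key_serial`). Neither field is initialized in tls_handshake_req_init(): only the PSK paths set th_key_update_request, so the anon and x509 handshakes depend on the private area having been zeroed at allocation; set `treq->th_key_update_request = HANDSHAKE_KEY_UPDATE_TYPE_UNSPEC;` there so the value sent to tlshd is explicit.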
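Review bot: the tls_handshake_req_init() hunk removes `treq->user_key_serial = TLS_NO_PRIVKEY;` and adds `return treq;`, which means that before this patch the function already assigned a member that this very patch introduces in struct tls_handshake_req and had no return statement for its pointer result; that looks like a rebase accident in patch ordering, so please confirm that every patch in the series builds on its own (bisectability) and fold the stray assignment and the missing return into the patch that first touches this function.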
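Review bot: tls_client_hello_psk() maps every non-UNSPEC `keyupdate` value to HANDSHAKE_MSG_TYPE_CLIENTKEYUPDATE, so HANDSHAKE_MSG_TYPE_CLIENTKEYUPDATEREQUEST, added to the uapi enum in this same patch, can never be produced; either define which keyupdate values (HANDSHAKE_KEY_UPDATE_TYPE_RECEIVED_REQUEST_UPDATE, presumably) select the ...REQUEST message type, or drop the unused msg-type values from the spec and the enum. The kernel-doc block above the function (its tail, `%-ENOMEM: Memory allocation failed`, is in the context) also needs a `@keyupdate:` line for the new parameter or kernel-doc will warn.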
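Review bot: the same two points apply to the tls_server_hello_psk() hunk: HANDSHAKE_MSG_TYPE_SERVERKEYUPDATEREQUEST is unreachable because any non-UNSPEC keyupdate yields HANDSHAKE_MSG_TYPE_SERVERKEYUPDATE, and the kernel-doc above the function lacks a `@keyupdate:` entry.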
From: alistair23@gmail.com
X-Google-Original-From: alistair.francis@wdc.com
To: chuck.lever@oracle.com, hare@kernel.org, kernel-tls-handshake@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-nvme@lists.infradead.org, linux-nfs@vger.kernel.org
Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, kch@nvidia.com, alistair23@gmail.com, Alistair Francis
Subject: [PATCH 6/8] nvme-tcp: Support KeyUpdate
Date: Fri, 15 Aug 2025 15:02:08 +1000
Message-ID: <20250815050210.1518439-7-alistair.francis@wdc.com>
X-Mailer: git-send-email 2.50.1
In-Reply-To: <20250815050210.1518439-1-alistair.francis@wdc.com>
References: <20250815050210.1518439-1-alistair.francis@wdc.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Alistair Francis

If the nvme_tcp_try_send() or nvme_tcp_try_recv() functions return EKEYEXPIRED then the underlying TLS keys need to be updated. This occurs on a KeyUpdate event.

If the NVMe Target (TLS server) initiates a KeyUpdate this patch will allow the NVMe layer to process the KeyUpdate request and forward the request to userspace. Userspace must then update the key to keep the connection alive.

This patch allows us to handle the NVMe target sending a KeyUpdate request without aborting the connection. At this time we don't support initiating a KeyUpdate.

Link: https://datatracker.ietf.org/doc/html/rfc8446#section-4.6.3
Signed-off-by: Alistair Francis
---
 drivers/nvme/host/tcp.c | 63 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 62 insertions(+), 1 deletion(-)

diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
index cc3332529355..0c14d3ad58af 100644
--- a/drivers/nvme/host/tcp.c
+++ b/drivers/nvme/host/tcp.c
@@ -171,6 +171,7 @@ struct nvme_tcp_queue { bool tls_enabled; u32 rcv_crc; u32 snd_crc; + key_serial_t user_key_serial; __le32 exp_ddgst; __le32 recv_ddgst; struct completion tls_complete; @@ -1313,6 +1314,7 @@ static int nvme_tcp_try_send(struct nvme_tcp_queue *q= ueue) struct nvme_tcp_request *req; unsigned int noreclaim_flag; int ret =3D 1; + enum nvme_ctrl_state state =3D nvme_ctrl_state(&(queue->ctrl->ctrl)); =20 if (!queue->request) { queue->request =3D nvme_tcp_fetch_request(queue); @@ -1347,6 +1349,29 @@ static int nvme_tcp_try_send(struct nvme_tcp_queue *= queue) done: if (ret =3D=3D -EAGAIN) { ret =3D 0; + } else if (ret =3D=3D -EKEYEXPIRED && + state !=3D NVME_CTRL_CONNECTING && + state !=3D NVME_CTRL_RESETTING) { + int qid =3D nvme_tcp_queue_id(queue); + + dev_dbg(queue->ctrl->ctrl.device, + "updating key for queue %d\n", qid); + + nvme_change_ctrl_state(&(queue->ctrl->ctrl), NVME_CTRL_RESETTING); + tls_clear_err(queue->sock->sk); + handshake_req_cancel(queue->sock->sk); + handshake_sk_destruct_req(queue->sock->sk); + + ret =3D nvme_tcp_start_tls(&(queue->ctrl->ctrl), + queue, queue->ctrl->ctrl.tls_pskid, + HANDSHAKE_KEY_UPDATE_TYPE_RECEIVED); + + if (ret < 0) { + dev_err(queue->ctrl->ctrl.device, + "failed to update the keys %d\n", ret); + nvme_tcp_fail_request(queue->request); + nvme_tcp_done_send_req(queue); + } } else if (ret < 0) { dev_err(queue->ctrl->ctrl.device, "failed to send request %d\n", ret); @@ -1383,6 +1408,7 @@ static void nvme_tcp_io_work(struct work_struct *w) do { bool pending =3D false; int result; + enum nvme_ctrl_state state =3D nvme_ctrl_state(&(queue->ctrl->ctrl)); =20 if (mutex_trylock(&queue->send_mutex)) { result =3D nvme_tcp_try_send(queue); 
@@ -1396,8 +1422,34 @@ static void nvme_tcp_io_work(struct work_struct *w) result =3D nvme_tcp_try_recv(queue); if (result > 0) pending =3D true; - else if (unlikely(result < 0)) + else if (unlikely(result < 0)) { + if (result =3D=3D -EKEYEXPIRED && + state !=3D NVME_CTRL_CONNECTING && + state !=3D NVME_CTRL_RESETTING) { + int qid =3D nvme_tcp_queue_id(queue); + + dev_dbg(queue->ctrl->ctrl.device, + "updating key for queue %d\n", qid); + + nvme_change_ctrl_state(&(queue->ctrl->ctrl), NVME_CTRL_RESETTING); + tls_clear_err(queue->sock->sk); + handshake_req_cancel(queue->sock->sk); + handshake_sk_destruct_req(queue->sock->sk); + + result =3D nvme_tcp_start_tls(&(queue->ctrl->ctrl), + queue, queue->ctrl->ctrl.tls_pskid, + HANDSHAKE_KEY_UPDATE_TYPE_RECEIVED); + + if (result < 0) { + dev_err(queue->ctrl->ctrl.device, + "failed to update the keys %d\n", result); + nvme_tcp_fail_request(queue->request); + nvme_tcp_done_send_req(queue); + } + } + return; + } =20 /* did we get some space after spending time in recv? */ if (nvme_tcp_queue_has_pending(queue) && @@ -1705,6 +1757,7 @@ static void nvme_tcp_tls_done(void *data, int status,= key_serial_t pskid, ctrl->ctrl.tls_pskid =3D key_serial(tls_key); key_put(tls_key); queue->tls_err =3D 0; + queue->user_key_serial =3D user_key_serial; } =20 out_complete: @@ -1734,6 +1787,7 @@ static int nvme_tcp_start_tls(struct nvme_ctrl *nctrl, keyring =3D key_serial(nctrl->opts->keyring); args.ta_keyring =3D keyring; args.ta_timeout_ms =3D tls_handshake_timeout * 1000; + args.user_key_serial =3D queue->user_key_serial; queue->tls_err =3D -EOPNOTSUPP; init_completion(&queue->tls_complete); ret =3D tls_client_hello_psk(&args, GFP_KERNEL, keyupdate); 
@@ -1742,7 +1796,14 @@ static int nvme_tcp_start_tls(struct nvme_ctrl *nctr= l, qid, ret); return ret; } + if (keyupdate) { + dev_dbg(nctrl->device, + "queue %d: TLS keyupdate complete\n", qid); + return 0; + } + ret =3D wait_for_completion_interruptible_timeout(&queue->tls_complete, t= mo); + if (ret <=3D 0) { if (ret =3D=3D 0) ret =3D -ETIMEDOUT; --=20 2.50.1
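Review bot: the -EKEYEXPIRED branch in nvme_tcp_try_send() moves the controller to NVME_CTRL_RESETTING without checking the bool returned by nvme_change_ctrl_state(), and nothing in this patch moves it back to NVME_CTRL_LIVE once the rekey finishes (nvme_tcp_start_tls() returns 0 immediately for a keyupdate, and the nvme_tcp_tls_done() hunk only adds the user_key_serial store); a controller parked in RESETTING that no reset work owns will block genuine resets and error recovery, so either drive the rekey through the existing reset/error-recovery machinery or track it with a queue-level flag instead of the controller state. The `state` snapshot is also taken at the top of the function, before the send that produced the error, so the check can act on a stale state.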
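Review bot: in the nvme_tcp_io_work() receive path, `nvme_tcp_fail_request(queue->request)` is called when nvme_tcp_start_tls() fails, but queue->request is NULL whenever no send is in flight (nvme_tcp_try_send() itself begins with `if (!queue->request) queue->request = nvme_tcp_fetch_request(queue);`) and here it is touched outside send_mutex, so a failed rekey triggered by a receive dereferences a NULL request or races the sender; on the receive side the right action is the queue's existing error teardown, not failing the current send. The block is otherwise a verbatim copy of the one added to nvme_tcp_try_send(); factor both into one helper such as nvme_tcp_key_update(queue) so the state check, the tls_clear_err()/handshake_req_cancel()/handshake_sk_destruct_req() sequence and the error handling live in a single place.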
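Review bot: with `if (keyupdate) { ...; return 0; }` nvme_tcp_start_tls() reports success as soon as the request has been handed to tlshd, so a failed or timed-out rekey is never observed by the callers in nvme_tcp_try_send()/nvme_tcp_io_work(): queue->tls_err was just set to -EOPNOTSUPP, tls_complete is initialized but never waited on, and the dev_dbg announces "TLS keyupdate complete" before anything has completed. Either wait on tls_complete with the same timeout as the initial handshake, or handle the outcome in nvme_tcp_tls_done() (resume I/O on success, schedule error recovery on failure). Comparing `keyupdate` against HANDSHAKE_KEY_UPDATE_TYPE_UNSPEC rather than relying on its zero value would also match the convention used in tlshd.c.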
From: alistair23@gmail.com X-Google-Original-From: alistair.francis@wdc.com To: chuck.lever@oracle.com, hare@kernel.org, kernel-tls-handshake@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-nvme@lists.infradead.org, linux-nfs@vger.kernel.org Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, kch@nvidia.com, alistair23@gmail.com, Alistair Francis Subject: [PATCH 7/8] net/handshake: Support decoding the HandshakeType Date: Fri, 15 Aug 2025 15:02:09 +1000 Message-ID: <20250815050210.1518439-8-alistair.francis@wdc.com> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250815050210.1518439-1-alistair.francis@wdc.com> References: <20250815050210.1518439-1-alistair.francis@wdc.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Alistair Francis Support decoding the HandshakeType as part of the TLS handshake protocol. Link: https://datatracker.ietf.org/doc/html/rfc8446#section-4 Signed-off-by: Alistair Francis --- include/net/handshake.h | 1 + include/net/tls_prot.h | 17 +++++++++++++++++ net/handshake/alert.c | 26 ++++++++++++++++++++++++++ 3 files changed, 44 insertions(+) diff --git a/include/net/handshake.h b/include/net/handshake.h index 8f791c55edc9..d13dc6299c37 100644 --- a/include/net/handshake.h +++ b/include/net/handshake.h @@ -54,6 +54,7 @@ void handshake_sk_destruct_req(struct sock *sk); bool handshake_req_cancel(struct sock *sk); =20 u8 tls_get_record_type(const struct sock *sk, const struct cmsghdr *msg); +u8 tls_get_handshake_type(const struct sock *sk, const struct cmsghdr *cms= g); void tls_alert_recv(const struct sock *sk, const struct msghdr *msg, u8 *level, u8 *description); =20 diff --git a/include/net/tls_prot.h b/include/net/tls_prot.h index 68a40756440b..5125e7c22cb3 100644 --- a/include/net/tls_prot.h 
+++ b/include/net/tls_prot.h @@ -23,6 +23,23 @@ enum { TLS_RECORD_TYPE_ACK =3D 26, }; =20 +/* + * TLS Record protocol: HandshakeType + */ +enum { + TLS_HANDSHAKE_TYPE_CLIENT_HELLO =3D 1, + TLS_HANDSHAKE_TYPE_SERVER_HELLO =3D 2, + TLS_HANDSHAKE_TYPE_NEW_SESSION_TICKET =3D 4, + TLS_HANDSHAKE_TYPE_END_OF_EARLY_DATA =3D 5, + TLS_HANDSHAKE_TYPE_ENCRYPTED_EXTENSIONS =3D 8, + TLS_HANDSHAKE_TYPE_CERTIFICATE =3D 11, + TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST =3D 13, + TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY =3D 15, + TLS_HANDSHAKE_TYPE_FINISHED =3D 20, + TLS_HANDSHAKE_TYPE_KEY_UPDATE =3D 24, + TLS_HANDSHAKE_TYPE_MESSAGE_HASH =3D 254, +}; + /* * TLS Alert protocol: AlertLevel */ diff --git a/net/handshake/alert.c b/net/handshake/alert.c index 329d91984683..7e16ef5ed913 100644 --- a/net/handshake/alert.c +++ b/net/handshake/alert.c 
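Review bot: the comment above the new enum reads "TLS Record protocol: HandshakeType", but HandshakeType belongs to the handshake protocol (RFC 8446 section 4); the record protocol's ContentType is the enum directly above it (TLS_RECORD_TYPE_*). Suggest "/* TLS Handshake protocol: HandshakeType */" so readers don't confuse the two layers. The values themselves match RFC 8446 section 4 (client_hello 1 through key_update 24, message_hash 254).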
@@ -86,6 +86,32 @@ u8 tls_get_record_type(const struct sock *sk, const stru= ct cmsghdr *cmsg) } EXPORT_SYMBOL(tls_get_record_type); =20 +/** + * tls_get_handshake_type - Look for TLS HANDSHAKE_TYPE information + * @sk: socket (for IP address information) + * @cmsg: incoming message to be parsed + * + * Returns zero or a TLS_HANDSHAKE_TYPE value. + */ +u8 tls_get_handshake_type(const struct sock *sk, const struct cmsghdr *cms= g) +{ + u8 record_type, msg_type; + + if (cmsg->cmsg_level !=3D SOL_TLS) + return 0; + if (cmsg->cmsg_type !=3D TLS_GET_RECORD_TYPE) + return 0; + + record_type =3D *((u8 *)CMSG_DATA(cmsg)); + + if (record_type !=3D TLS_RECORD_TYPE_HANDSHAKE) + return 0; + + msg_type =3D *((u8 *)CMSG_DATA(cmsg) + 4); + return msg_type; +} +EXPORT_SYMBOL(tls_get_handshake_type); + /** * tls_alert_recv - Parse TLS Alert messages * @sk: socket (for IP address information) --=20 2.50.1
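Review bot: msg_type = *((u8 *)CMSG_DATA(cmsg) + 4) reads past the data the control message carries. The TLS_GET_RECORD_TYPE cmsg holds only the one-byte record type, which is all tls_get_record_type() above reads; the HandshakeType is the first byte of the record payload, delivered in the data iovec of the msghdr, not in the cmsg. As written the function returns whatever sits in the caller's control buffer after that byte, so it can report an arbitrary type (including TLS_HANDSHAKE_TYPE_KEY_UPDATE) and the record_type check gives no protection against that. Suggest passing the struct msghdr * as tls_alert_recv() does, checking that the iovec holds at least the 4-byte Handshake header (type plus 24-bit length), and returning the first payload byte; the kernel-doc should also state that the function is only meaningful for a record already reported as TLS_RECORD_TYPE_HANDSHAKE. Minor: @sk is unused in the body, so either drop it or note it is kept for symmetry with tls_get_record_type().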
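Added example, not kernel code and not part of this patch series: the on-the-wire layout of the RFC 8446 section 4 Handshake message whose msg_type byte the HandshakeType values above identify. The type is the first byte of the Handshake record's payload, followed by a 24-bit big-endian body length; the parser validates both against the buffer it was given and then decodes the one-byte KeyUpdate body from section 4.6.3, whose request_update flag says whether the peer expects a reciprocal KeyUpdate. Function names such as tls_hs_parse and the sample byte strings are constructed for the illustration.

```c
/*
 * Added example (not kernel code): decoding the TLS 1.3 Handshake message
 * header at the start of a Handshake record's payload, RFC 8446 section 4:
 *
 *     struct {
 *         HandshakeType msg_type;    // 1 byte
 *         uint24 length;             // big-endian body length
 *         select (msg_type) { ... }  // body
 *     } Handshake;
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* HandshakeType values, RFC 8446 section 4 (same numbers as TLS_HANDSHAKE_TYPE_*). */
enum tls_hs_type {
	TLS_HS_CLIENT_HELLO		= 1,
	TLS_HS_SERVER_HELLO		= 2,
	TLS_HS_NEW_SESSION_TICKET	= 4,
	TLS_HS_END_OF_EARLY_DATA	= 5,
	TLS_HS_ENCRYPTED_EXTENSIONS	= 8,
	TLS_HS_CERTIFICATE		= 11,
	TLS_HS_CERTIFICATE_REQUEST	= 13,
	TLS_HS_CERTIFICATE_VERIFY	= 15,
	TLS_HS_FINISHED			= 20,
	TLS_HS_KEY_UPDATE		= 24,
	TLS_HS_MESSAGE_HASH		= 254,
};

/* Record ContentType values, RFC 8446 section 5.1 (same numbers as TLS_RECORD_TYPE_*). */
#define TLS_CT_ALERT		21
#define TLS_CT_HANDSHAKE	22
#define TLS_CT_APPLICATION_DATA	23

struct tls_hs_hdr {
	uint8_t		msg_type;
	uint32_t	length;	/* 24-bit body length taken from the wire */
	const uint8_t	*body;	/* points into the caller's payload */
};

/*
 * Parse the first Handshake message of a record payload.  Returns the
 * message type (never 0 for a valid TLS 1.3 message) or 0 when the record
 * is not a Handshake record, the payload is shorter than the 4-byte header,
 * or the declared body length runs past the end of the payload.
 */
int tls_hs_parse(uint8_t record_type, const uint8_t *payload, size_t len,
		 struct tls_hs_hdr *out)
{
	uint32_t body_len;

	if (record_type != TLS_CT_HANDSHAKE || !payload || len < 4)
		return 0;
	body_len = ((uint32_t)payload[1] << 16) |
		   ((uint32_t)payload[2] << 8) | payload[3];
	if (body_len > len - 4)
		return 0;	/* truncated: do not trust the declared length */
	if (payload[0] == 0)
		return 0;	/* hello_request_RESERVED is not a TLS 1.3 message */
	out->msg_type = payload[0];
	out->length = body_len;
	out->body = payload + 4;
	return out->msg_type;
}

/*
 * The KeyUpdate body (RFC 8446 section 4.6.3) is one byte, request_update:
 * 0 = update_not_requested, 1 = update_requested (the peer must answer with
 * its own KeyUpdate).  Returns that value, or -1 if the message is not a
 * well-formed KeyUpdate (the RFC says to abort with illegal_parameter).
 */
int tls_hs_key_update_requested(const struct tls_hs_hdr *hdr)
{
	if (hdr->msg_type != TLS_HS_KEY_UPDATE || hdr->length != 1)
		return -1;
	if (hdr->body[0] > 1)
		return -1;
	return hdr->body[0];
}

/* Constructed sample payloads for the demonstration (not captured traffic). */
static const uint8_t sample_key_update[] = { 24, 0x00, 0x00, 0x01, 0x01 };
static const uint8_t sample_truncated[]  = { 24, 0x00, 0x00, 0x05, 0x01 };

int main(void)
{
	struct tls_hs_hdr hdr;
	int type = tls_hs_parse(TLS_CT_HANDSHAKE, sample_key_update,
				sizeof(sample_key_update), &hdr);

	printf("handshake type %d, body length %u, request_update %d\n",
	       type, (unsigned int)hdr.length,
	       tls_hs_key_update_requested(&hdr));
	printf("truncated sample parses as type %d\n",
	       tls_hs_parse(TLS_CT_HANDSHAKE, sample_truncated,
			    sizeof(sample_truncated), &hdr));
	return 0;
}
```

The record_type argument mirrors the check the patch performs on the cmsg; the payload argument is the data the receiver gets in its iovec, which is where the type byte actually lives. A receiver that sees request_update set to 1 is expected by the RFC to send its own KeyUpdate, which is the case the nvmet side of this series explicitly does not yet initiate.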
From: alistair23@gmail.com X-Google-Original-From: alistair.francis@wdc.com To: chuck.lever@oracle.com, hare@kernel.org, kernel-tls-handshake@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-nvme@lists.infradead.org, linux-nfs@vger.kernel.org Cc: kbusch@kernel.org, axboe@kernel.dk, hch@lst.de, sagi@grimberg.me, kch@nvidia.com, alistair23@gmail.com, Alistair Francis Subject: [PATCH 8/8] nvmet-tcp: Support KeyUpdate Date: Fri, 15 Aug 2025 15:02:10 +1000 Message-ID: <20250815050210.1518439-9-alistair.francis@wdc.com> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250815050210.1518439-1-alistair.francis@wdc.com> References: <20250815050210.1518439-1-alistair.francis@wdc.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Alistair Francis If the nvmet_tcp_try_recv() function returns EKEYEXPIRED or if we receive a KeyUpdate handshake type then the underlying TLS keys need to be updated. If the NVMe Host (TLS client) initiates a KeyUpdate this patch will allow the NVMe layer to process the KeyUpdate request and forward the request to userspace. Userspace must then update the key to keep the connection alive. This patch allows us to handle the NVMe host sending a KeyUpdate request without aborting the connection. At this time we don't support initiating a KeyUpdate. Link: https://datatracker.ietf.org/doc/html/rfc8446#section-4.6.3 Signed-off-by: Alistair Francis --- drivers/nvme/target/tcp.c | 59 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 56 insertions(+), 3 deletions(-) diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c index 5eaab9c858be..1dc6fa28d08c 100644 --- a/drivers/nvme/target/tcp.c +++ b/drivers/nvme/target/tcp.c 
@@ -175,6 +175,7 @@ struct nvmet_tcp_queue { =20 /* TLS state */ key_serial_t tls_pskid; + key_serial_t user_key_serial; struct delayed_work tls_handshake_tmo_work; =20 unsigned long poll_end; @@ -836,6 +837,11 @@ static int nvmet_tcp_try_send_one(struct nvmet_tcp_que= ue *queue, return 1; } =20 +#ifdef CONFIG_NVME_TARGET_TCP_TLS +static int nvmet_tcp_try_peek_pdu(struct nvmet_tcp_queue *queue); +static void nvmet_tcp_tls_handshake_timeout(struct work_struct *w); +#endif + static int nvmet_tcp_try_send(struct nvmet_tcp_queue *queue, int budget, int *sends) { @@ -1114,7 +1120,7 @@ static int nvmet_tcp_tls_record_ok(struct nvmet_tcp_q= ueue *queue, struct msghdr *msg, char *cbuf) { struct cmsghdr *cmsg =3D (struct cmsghdr *)cbuf; - u8 ctype, level, description; + u8 ctype, htype, level, description; int ret =3D 0; =20 ctype =3D tls_get_record_type(queue->sock->sk, cmsg); @@ -1135,6 +1141,29 @@ static int nvmet_tcp_tls_record_ok(struct nvmet_tcp_= queue *queue, ret =3D -EAGAIN; } break; + case TLS_RECORD_TYPE_HANDSHAKE: + htype =3D tls_get_handshake_type(queue->sock->sk, cmsg); + +#ifdef CONFIG_NVME_TARGET_TCP_TLS + if (htype =3D=3D TLS_HANDSHAKE_TYPE_KEY_UPDATE) { + tls_clear_err(queue->sock->sk); + handshake_req_cancel(queue->sock->sk); + handshake_sk_destruct_req(queue->sock->sk); + queue->state =3D NVMET_TCP_Q_TLS_HANDSHAKE; + + /* Restore the default callbacks before starting upcall */ + read_lock_bh(&queue->sock->sk->sk_callback_lock); + queue->sock->sk->sk_user_data =3D NULL; + queue->sock->sk->sk_data_ready =3D queue->data_ready; + read_unlock_bh(&queue->sock->sk->sk_callback_lock); + + return nvmet_tcp_tls_handshake(queue, HANDSHAKE_KEY_UPDATE_TYPE_RECEIVE= D); + } +#endif + pr_err("queue %d: TLS handshake %d unhandled\n", + queue->idx, htype); + ret =3D -EAGAIN; + break; default: /* discard this record type */ pr_err("queue %d: TLS record %d unhandled\n", 
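Review bot: the TLS_HANDSHAKE_TYPE_KEY_UPDATE branch in nvmet_tcp_tls_record_ok() restarts the handshake without looking at queue->state, unlike the -EKEYEXPIRED branch in nvmet_tcp_try_recv(), which skips queues in NVMET_TCP_Q_DISCONNECTING or already in NVMET_TCP_Q_TLS_HANDSHAKE; a KeyUpdate record arriving while an upcall is already in flight, or on a queue being torn down, would cancel the pending request and call nvmet_tcp_tls_handshake() a second time. Apply the same state check here. The sequence tls_clear_err() / handshake_req_cancel() / handshake_sk_destruct_req() / state change / callback restore / nvmet_tcp_tls_handshake() is then duplicated verbatim between the two functions; factor it into one helper so the two paths cannot drift. handshake_req_cancel() returns a bool (see the prototype in include/net/handshake.h) and its result is ignored in both copies; when it returns false the request has already completed, and destroying it and restarting may race with that completion. A smaller point: for every other handshake type this case logs pr_err() and returns -EAGAIN, so the caller will keep retrying a record it can never consume; discarding it as the default arm does may be the safer fallback.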
@@ -1344,7 +1373,29 @@ static int nvmet_tcp_try_recv(struct nvmet_tcp_queue= *queue, for (i =3D 0; i < budget; i++) { ret =3D nvmet_tcp_try_recv_one(queue); if (unlikely(ret < 0)) { - nvmet_tcp_socket_error(queue, ret); + if (ret =3D=3D -EKEYEXPIRED && + queue->state !=3D NVMET_TCP_Q_DISCONNECTING && + queue->state !=3D NVMET_TCP_Q_TLS_HANDSHAKE) { +#ifdef CONFIG_NVME_TARGET_TCP_TLS + tls_clear_err(queue->sock->sk); + handshake_req_cancel(queue->sock->sk); + handshake_sk_destruct_req(queue->sock->sk); + queue->state =3D NVMET_TCP_Q_TLS_HANDSHAKE; + + /* Restore the default callbacks before starting upcall */ + read_lock_bh(&queue->sock->sk->sk_callback_lock); + queue->sock->sk->sk_user_data =3D NULL; + queue->sock->sk->sk_data_ready =3D queue->data_ready; + read_unlock_bh(&queue->sock->sk->sk_callback_lock); + + ret =3D nvmet_tcp_tls_handshake(queue, + HANDSHAKE_KEY_UPDATE_TYPE_RECEIVED); +#else + nvmet_tcp_socket_error(queue, ret); +#endif + } else { + nvmet_tcp_socket_error(queue, ret); + } goto done; } else if (ret =3D=3D 0) { break; @@ -1798,6 +1849,7 @@ static void nvmet_tcp_tls_handshake_done(void *data, = int status, } if (!status) { queue->tls_pskid =3D peerid; + queue->user_key_serial =3D user_key_serial; queue->state =3D NVMET_TCP_Q_CONNECTING; } else queue->state =3D NVMET_TCP_Q_FAILED; @@ -1843,7 +1895,7 @@ static int nvmet_tcp_tls_handshake(struct nvmet_tcp_q= ueue *queue, int ret =3D -EOPNOTSUPP; struct tls_handshake_args args; =20 - if (queue->state !=3D NVMET_TCP_Q_TLS_HANDSHAKE) { + if (queue->state !=3D NVMET_TCP_Q_TLS_HANDSHAKE && !keyupdate) { pr_warn("cannot start TLS in state %d\n", queue->state); return -EINVAL; } 
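Review bot: relaxing the guard in nvmet_tcp_tls_handshake() to "queue->state != NVMET_TCP_Q_TLS_HANDSHAKE && !keyupdate" looks unnecessary: both new callers (nvmet_tcp_tls_record_ok() and nvmet_tcp_try_recv()) set queue->state = NVMET_TCP_Q_TLS_HANDSHAKE immediately before calling with HANDSHAKE_KEY_UPDATE_TYPE_RECEIVED, so the unmodified check would already pass. As written, the keyupdate path can start an upcall from NVMET_TCP_Q_DISCONNECTING or NVMET_TCP_Q_FAILED without the "cannot start TLS in state" warning. Keep the state check unconditional and drop the !keyupdate clause, or document which caller needs it.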
@@ -1856,6 +1908,7 @@ static int nvmet_tcp_tls_handshake(struct nvmet_tcp_q= ueue *queue, args.ta_data =3D queue; args.ta_keyring =3D key_serial(queue->port->nport->keyring); args.ta_timeout_ms =3D tls_handshake_timeout * 1000; + args.user_key_serial =3D queue->user_key_serial; =20 ret =3D tls_server_hello_psk(&args, GFP_KERNEL, keyupdate); if (ret) { --=20 2.50.1
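Review bot: the forward declarations added before nvmet_tcp_try_send() are for nvmet_tcp_try_peek_pdu() and nvmet_tcp_tls_handshake_timeout(), but neither is called by code this patch adds; the new callers in nvmet_tcp_tls_record_ok() and nvmet_tcp_try_recv() call nvmet_tcp_tls_handshake(), which is defined further down (the @@ -1843 hunk). Unless nvmet_tcp_tls_handshake() already has a forward declaration, the CONFIG_NVME_TARGET_TCP_TLS build will not compile; and if the two declared functions are not used by this patch, the declarations belong in the patch that needs them.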
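Review bot: in the -EKEYEXPIRED branch of nvmet_tcp_try_recv(), ret is overwritten with the return value of nvmet_tcp_tls_handshake() and control jumps to done without calling nvmet_tcp_socket_error(). If starting the upcall fails (nvmet_tcp_tls_handshake() starts from ret = -EOPNOTSUPP, and tls_server_hello_psk() can also fail), the queue is left in NVMET_TCP_Q_TLS_HANDSHAKE with its default sk callbacks restored and, unless the done: label handles it, nothing tears it down or rearms tls_handshake_tmo_work. Call nvmet_tcp_socket_error() (or fail the queue) when the restart returns an error. The three-way #ifdef with nvmet_tcp_socket_error() repeated in both the #else arm and the else branch could be collapsed by testing IS_ENABLED(CONFIG_NVME_TARGET_TCP_TLS) in the if condition.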